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Programmers embrace contracts. They can use the language they 
know and love to formulate logical assertions about the behavior of 
their programs. They can use the existing IDE infrastructure to log 
contracts, to test, to debug, and to profile their programs. 

The keynote presents the challenges and rewards of supporting 
contracts in a modem, full-spectrum programming language. It 
covers technical challenges of contracts while demonstrating the 
non-technical motivation for contract system design choices and 
showing how contracts and contract research can serve practicing 
programmers. 

- ^ - 

The remainder of this article is a literature survey of contract re¬ 
search, with an emphasis on recent work about higher-order con¬ 
tracts and blame. 



arly Contracts. Pamas (1972) suggested 
the use of logical assertions to describe 
software components. Meyer (1991; 1992) 
implemented the first full-fledged con¬ 
tract system and developed a matching 
software engineering philosophy, design 
by contract. 


Findler and Felleisen (2002) introduced contracts to the functional 
programming world, generalizing them to higher-order languages, 
and introduced the ideas of blame and boundaries as independent 
concepts worthy of study. 



emantics. Findler and Felleisen used an 
operational model for contracts and did 
|| not define a notion of contract satisfac- 
l. Blume and McAllester (2006) rec- 
|| ognized this lack and responded with a 
quotient model, shedding light on the 
special status of the contract that does 
) checking. In parallel, Findler and 
Blume (2006) investigated contracts as Scott projections, thanks 
to a timely question from Bob Harper in 2002. Dimoulas and 


Felleisen (2011) countered from an observational equivalence per¬ 
spective and pointed out that software engineering and formal 
methods naturally deal with different satisfaction relations. 
Greenberg et al. (2010) studied dependent contracts, showing how 
there are natural variations hiding in Blume and McAllester’s 
model. Dimoulas et al. (2011) designed a new combinator to moni¬ 
tor dependent contracts that assigns blame correctly when a depen¬ 
dent contract violates part of itself. Dimoulas et al. (2012) extended 
this model to introduce a notion of contract system completeness, 
i.e., a contract system that accounts for all possible violations. 


aziness. Contracts in lazy languages lead 
to complex and interesting semantic ques¬ 
tions. As a hint at the complexity, con¬ 
sider a function that does not explore all 
of its argument, but where the unexplored 
part is rejected by the contract. Should 
this be a violation? Chitil et al. (2003) 
take the negative answer and show how 
to delay checks until the program observes the values that trigger 
the violation. Chitil and Huch (2006) later refine their technique 
to eliminate accidental sequentiality in the contract specification it¬ 
self. Degen et al. (2012) tackle this question head on, showing that 
a contract system cannot report contract violations for all of the 
values that influence the program’s final result without introducing 
unwanted strictness. 




eatures. Sophisticated language features 
demand sophisticated contract systems 
and more nuanced ways to assign blame. 
Data structures require care to avoid ex¬ 
cessive performance overhead (Findler et 
al. 2007). 

Delimited and composable control opera¬ 
tors provide new ways for values to flow 
and thus require special contract support (Takikawa et al. 2013). 


Classes and object systems also lead to new concerns for contracts, 
from behavioral subtyping (Findler and Felleisen 2001; Findler et 
al. 2001) to support for first-class classes (Strickland and Felleisen 
2010; Strickland et al. 2013). 
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ragmatics. Strickland and Felleisen (2009) 
explore the crucial pragmatic question of 
how to draw boundaries between compo- 

A number of researchers have also ex¬ 
plored parametric polymorphic contracts 
(Guha et al. 2007; Matthews and Ahmed 
2008; Ahmed et al. 2011), using the idea 
that runtime sealing is the dynamic analog of polymorphic type 
checking. 



mplementation. Herman et al. (2007) 
demonstrate how contract implementa¬ 
tions break tail-recursion and design a 
virtual machine that recovers it. 
Strickland et al. (2012) show how to add 
primitive interposition support to a run¬ 
time system that is strong enough to sup¬ 
port contracts, but weak enough to avoid 


breaking guarantees of the underlying programming language. 


Dimoulas et al. (2013) demonstrate how to give programmatic con¬ 
trol for enabling and disabling contract checks to balance checking 
with performance. 


radual Typing. The most active applica¬ 
tion of contracts is gradual typing (Flana¬ 
gan 2006; Tobin-Hochstadt and Felleisen 
2006; Siek and Taha 2006), which ex¬ 
ploits dynamic contract checking so pro¬ 
grammers can incrementally add types to 
untyped programs. Gronski and Flana¬ 
gan (2007) clarified the relationship be¬ 
tween gradual types and contracts. 

Findler et al. (2004) gave an early instance of gradual typing, 
showing how structural and nominal OO type systems can coexist. 
Gradual typing can be viewed as an interoperability problem, based 
on Matthews and Findler (2007)’s notion of a boundary. Tov and 
Pucella (2010) use this perspective to connect a language with 
an affine type systems to a simply-typed one using contracts that 
exploit mutable references to track how often resources are used. 
Wadler and Findler (2009) and Dimoulas et al. (2012) refined 
the proof techniques for the Blame Theorem for gradually typed 
calculi, which ensures that either blame for a contract violation lies 
on the side with the weak type system or that the type is too strong. 
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